Nginx is one of the top applications for web traffic management. I personally love to use Nginx as a load balancer and reverse proxy in production. Even when applications ship their own web server to serve content, it's easier to manage many applications and websites with Nginx as the common point at which to configure, secure, and update routing.
The most secure way to install an application is to download the project's GPG signing key and compare its hash against a published verification value. For Nginx, I could not find a published verification hash, which isn't uncommon, to be honest. Using Ubuntu as our demo VM, we can configure the apt source management file with Salt and then trigger the installation and enable nginx under systemd management.
Make sure to update your Salt top.sls file so that your Salt minion is allowed to use this nginx.sls file. Usually you can find it at /srv/salt/top.sls.
```yaml
# file: /srv/salt/nginx/init.sls
install_security_deps_nginx:
  pkg.installed:
    - pkgs:
      - gnupg2
      - ca-certificates
      - ubuntu-keyring

# can't find verification hashes from nginx, so skip_verify turns off Salt's
# source_hash check; the key is still fetched over HTTPS from nginx.org
ensure_nginx_gpg_key_present:
  file.managed:
    - name: /etc/apt/keyrings/nginx_signing.key
    - source: https://nginx.org/keys/nginx_signing.key
    - skip_verify: True

# setting official nginx repository (this URL is the mainline branch; the
# stable branch is at http://nginx.org/packages/ubuntu/). signed-by limits the
# key above to this repository only, and aptkey: False keeps it out of the
# deprecated system-wide trusted.gpg keyring
ensure_nginx_repository_present:
  pkgrepo.managed:
    - humanname: official Nginx stable repository
    - name: |
        deb [signed-by=/etc/apt/keyrings/nginx_signing.key] http://nginx.org/packages/mainline/ubuntu/ {{ grains.oscodename }} nginx
    - file: /etc/apt/sources.list.d/nginx.list
    - keyurl: https://nginx.org/keys/nginx_signing.key
    - aptkey: False
    - disabled: False
    - refresh: True
    - architectures: amd64

install_nginx:
  pkg.installed:
    - pkgs:
      - nginx

# start nginx application and enable it at boot
nginx_for_systemd_enable:
  service.running:
    - name: nginx
    - enable: True
```
When executed you should get back something similar to this:
```
# salt \* state.apply nginx
demo-minion:
----------
          ID: install_security_deps_nginx
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 16:50:51.798513
    Duration: 36.102 ms
     Changes:
----------
          ID: ensure_nginx_gpg_key_present
    Function: file.managed
        Name: /etc/apt/keyrings/nginx_signing.key
      Result: True
     Comment: File /etc/apt/keyrings/nginx_signing.key updated
     Started: 16:50:51.836737
    Duration: 3.26 ms
     Changes:
              ----------
              diff:
                  New file
              mode:
                  0644
----------
          ID: ensure_nginx_repository_present
    Function: pkgrepo.managed
        Name: deb [signed-by=/etc/apt/keyrings/nginx_signing.key] http://nginx.org/packages/mainline/ubuntu/ jammy nginx
      Result: True
     Comment: Configured package repo 'deb [signed-by=/etc/apt/keyrings/nginx_signing.key] http://nginx.org/packages/mainline/ubuntu/ jammy nginx '
     Started: 16:50:51.840789
    Duration: 8532.835 ms
     Changes:
              ----------
              repo:
                  deb [signed-by=/etc/apt/keyrings/nginx_signing.key] http://nginx.org/packages/mainline/ubuntu/ jammy nginx
----------
          ID: install_nginx
    Function: pkg.installed
      Result: True
     Comment: The following packages were installed/updated: nginx
     Started: 16:51:00.373780
    Duration: 7841.066 ms
     Changes:
              ----------
              nginx:
                  ----------
                  new:
                      1.25.4-1~jammy
                  old:
----------
          ID: nginx_for_systemd_enable
    Function: service.running
        Name: nginx
      Result: True
     Comment: Service nginx is already enabled, and is running
     Started: 16:51:08.226680
    Duration: 88.846 ms
     Changes:
              ----------
              nginx:
                  True

Summary for demo-minion
------------
Succeeded: 5 (changed=4)
Failed:    0
------------
Total states run:     5
Total run time:  16.502 s
```
Systemd will also report Nginx running and under its management with a status check.
```
# systemctl status nginx
● nginx.service - nginx - high performance web server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-04-09 16:51:08 UTC; 38s ago
       Docs: https://nginx.org/en/docs/
    Process: 1753530 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
   Main PID: 1753531 (nginx)
      Tasks: 3 (limit: 4667)
     Memory: 3.2M
        CPU: 12ms
     CGroup: /system.slice/nginx.service
             ├─1753531 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"
             ├─1753532 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             └─1753533 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""

Apr 09 16:51:08 ip-172-31-25-48 systemd[1]: Starting nginx - high performance web server...
Apr 09 16:51:08 ip-172-31-25-48 systemd[1]: Started nginx - high performance web server.
root@ip-172-31-25-48:~#
```
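The key state above runs with skip_verify: True because no published hash was found. As an added example (not from the original post, and not Salt's or nginx's own code), the check below closes that gap on the Salt master: it confirms the downloaded key is an intact ASCII-armored block (CRC24 from RFC 4880), compares the file's SHA-256 with a pin recorded out of band (for example from a copy whose fingerprint you compared with gpg --show-keys against nginx's documentation), and emits the file.managed stanza with source_hash in place of skip_verify. The key text is a constructed stand-in; in a real run the pin is the digest you recorded earlier, not one computed from the same download.

```python
import base64
import hashlib
import re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n"
    r"(?:(?:[^\n]*:[^\n]*\r?\n)*\r?\n)?"  # optional armor headers plus blank line
    r"((?:[A-Za-z0-9+/=]+\r?\n)+)"         # base64 body, one or more lines
    r"=([A-Za-z0-9+/]{4})\r?\n"            # "=XXXX" CRC24 checksum line
    r"-----END PGP PUBLIC KEY BLOCK-----")

def crc24(data: bytes) -> int:  # OpenPGP armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(payload: bytes) -> str:  # used only to build the constructed sample
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + lines
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def sha256_hex(key_text: str) -> str:  # what Salt compares with source_hash
    return hashlib.sha256(key_text.encode()).hexdigest()

def check_key(key_text: str, pinned_sha256: str) -> str:
    """Return 'ok', or the first reason the key must not be installed."""
    m = ARMOR_RE.search(key_text)
    if not m:
        return "not an ASCII-armored public key block"
    payload = base64.b64decode("".join(m.group(1).split()))
    if crc24(payload) != int.from_bytes(base64.b64decode(m.group(2)), "big"):
        return "armor checksum mismatch (truncated or corrupted download)"
    if sha256_hex(key_text) != pinned_sha256.lower():  # the control that matters
        return "sha256 differs from the pinned value (key replaced or tampered)"
    return "ok"

def hardened_stanza(pinned_sha256: str) -> str:  # source_hash replaces skip_verify
    return ("ensure_nginx_gpg_key_present:\n  file.managed:\n"
            "    - name: /etc/apt/keyrings/nginx_signing.key\n"
            "    - source: https://nginx.org/keys/nginx_signing.key\n"
            f"    - source_hash: sha256={pinned_sha256}\n")

# Constructed stand-in for the downloaded key file (not nginx's real key material).
SAMPLE_KEY = armor(b"constructed sample, not a real OpenPGP key packet" * 3)
```

The armor checksum only catches a damaged transfer, since anyone who can alter the file can recompute it; the pinned SHA-256, and apt's own signed-by restriction in the repository state, are what stop a swapped key from being trusted.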
Nginx has a simple configuration layout to follow for serving traffic. All configuration files go into the /etc/nginx/sites-available/ directory and are then symlinked into the /etc/nginx/sites-enabled/ directory. This way you can stage a configuration without serving traffic by simply removing, or not creating, the symlink. Note that the stock nginx.conf shipped by the nginx.org packages includes only /etc/nginx/conf.d/*.conf, so add an include for /etc/nginx/sites-enabled/*.conf to it for this layout to take effect. Here I will use the Calibre ebook server conf file for the demo.
```yaml
# file: /srv/salt/state/nginx/calibre.sls
ensure_calibre_nginx_file_present:
  file.managed:
    - name: /etc/nginx/sites-available/calibre.conf
    - source: salt://nginx/files/calibre.conf
    - makedirs: True
    - create: True

# symlink available to enabled
symlink_calibre_available_to_enabled:
  file.symlink:
    - name: /etc/nginx/sites-enabled/calibre.conf
    - target: /etc/nginx/sites-available/calibre.conf
    - makedirs: True

# nginx will pick up the new configuration file. A reload keeps the running
# workers and the old config if the new file fails to parse, so check the
# nginx error log if the site does not appear after a successful state run.
nginx_load_keys:
  module.run:
    - name: nginx.signal
    - signal: reload
    - require:
      - ensure_calibre_nginx_file_present
      - symlink_calibre_available_to_enabled
```
Salt uses signal: reload so that nginx reloads (rather than restarts) to pick up the new configuration and begin serving as described in the new calibre.conf file.
Many applications we may use to form our software suite are written in different languages, developed with novel paradigms, and with different scopes of use in mind. The http and https protocols are a standard we can lean on for stability and consistency, with Nginx in front, so that we are not tripped up by unfamiliar application configuration for public access. Salt further ensures that this stable setup is easy to deploy and is kept secure against configuration drift.